Susan Duclos

Feb. 14, 2016

"Imagine if the internet went down for several days, I believe we would see significant power grid failure and potentially loss of emergency services. This could mean the failure of dams and flood controls, power and water distribution, natural gas distribution and control failure, and more.

Perhaps the most alarming aspect would be to the financial sector. I believe that loss of the internet for even a two week period could cause enough disruption to financial institutions that consumers would lose confidence and this could be catastrophic to the markets. All of this could set up a chain reaction that could send the public in to a panicked tailspin." - Information security expert Eddie Mize

That scenario almost played out between November 30 and December 1, 2015, a little over two months ago as hackers once again tested the vulnerabilities of the Internet by attacking the 13 root name servers in the world that run the internet. According to the initial report from IBTimes "these servers are responsible for helping your web browser to locate top-level domains such as .com, .org, .net or any country-specific top level domains like .uk, .fr, .sg, .de, .ae and .cn. The servers function as a sort of internet address book and they make up what is known as the domain name system (DNS) system."

Between 30 November and 1 December, an entity carried out an enormous DDoS attack against these 13 root name servers, flooding them with a deluge of traffic from multiple IPv4 addresses, so that the servers received more than five million queries per second, and more than 50 billion queries in total during the two-day period. To give you context, over the past two years Verisign's A root name server has never averaged more than 10 billion queries per day.

"While it's common for the root name servers to see anomalous traffic, including high query loads for varying periods of time, this event was large, noticeable via external monitoring systems, and fairly unique in nature," Root-servers.org, which is run by the operators of the root name servers, wrote in its incident report.
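The incident report above says the flood stood out to external monitoring because of its volume and the many IPv4 sources it came from. The script below is an added example, not code from the article or from Root-servers.org: it reads constructed query-log lines in an assumed "epoch source_ip qname qtype" format, buckets them per second, and flags seconds whose query rate exceeds a multiple of the median rate while the queries come from several distinct sources.

```python
# Added example (not from the article or Root-servers.org): flag seconds in a
# DNS query log whose rate is far above the median AND whose queries come from
# many distinct IPv4 sources, the two traits the incident report describes.
# The log format below is an assumption made for this example.
from collections import defaultdict
from statistics import median

# Constructed sample lines: "<epoch_second> <source_ip> <qname> <qtype>".
SAMPLE_LOG = """
1448841600 192.0.2.10 example.com. A
1448841600 192.0.2.11 example.org. NS
1448841601 192.0.2.12 example.net. A
1448841602 198.51.100.1 example.com. A
1448841602 198.51.100.2 example.com. A
1448841602 198.51.100.3 example.com. A
1448841602 198.51.100.4 example.com. A
1448841602 198.51.100.5 example.com. A
1448841602 198.51.100.6 example.com. A
1448841603 192.0.2.13 example.com. MX
"""

def parse_log(text):
    """Yield (second, source_ip, qname, qtype) tuples, skipping malformed lines."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3]

def per_second_stats(records):
    """Return {second: (query_count, distinct_source_count)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for sec, src, _qname, _qtype in records:
        counts[sec] += 1
        sources[sec].add(src)
    return {sec: (counts[sec], len(sources[sec])) for sec in counts}

def baseline_qps(stats):
    """Median queries-per-second across all observed seconds."""
    return median(qps for qps, _nsrc in stats.values())

def flag_flood_seconds(stats, baseline, factor=2.0, min_sources=3):
    """Seconds above factor x baseline whose queries came from >= min_sources IPs."""
    return sorted(sec for sec, (qps, nsrc) in stats.items()
                  if qps > factor * baseline and nsrc >= min_sources)

if __name__ == "__main__":
    stats = per_second_stats(parse_log(SAMPLE_LOG))
    print(flag_flood_seconds(stats, baseline_qps(stats)))  # prints [1448841602]
```

On a real resolver or root-server log the baseline should come from a long quiet window rather than from the same data being scored, and the source-diversity check is what separates a distributed flood from a single misbehaving client.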

As security experts, analysts and hackers investigated this third attack of its kind against the root name servers (the first was in 2002, the second in 2007), more information became available about the size and scope of these attacks, as well as their potential to cripple the entire internet.

The following day IBTimes spoke to cybersecurity expert John McAfee, who said the attack was even more severe than previously thought and who, along with notorious hacker Chris Roberts and DEFCON organiser Eddie Mize, believes they may have uncovered the method used: smartphones turned into a "zombie army" botnet after users unwittingly installed a mysterious app.

McAfee told IBTimes on December 11, 2015: "If there were 100 million users of an app, only 0.1% of the phones would have to be activated in order to achieve the effects that we saw."

He also issued a warning that no one ever wants to hear from a man who has built an empire in the cybersecurity business, stating that the threat "is as serious as it gets," and that "We have absolutely no defenses in place to counter this threat. If the perpetrators had activated a mere order of magnitude more phones we would have lost the internet."

Should such a botnet be fully deployed, the global impact would be "catastrophic" for financial and essential services, according to Roberts, while Mize believes "we have no defenses [against a mobile app botnet] and it was entirely unanticipated. The people in power need to be woken up before the world, as we know comes to an end."

"I feel certain that the IS news app was the source of the DDoS attack," cybersecurity expert John McAfee tells IBTimes UK. "One of my researchers has discovered encrypted packets being sent to the Amaq Agency news app.

"We found the 13 Root Server Addresses in the app memory while the app was running. The addresses did not appear inside the static app. The addresses therefore had to be decrypted at run time. Why would they encrypt the addresses inside the app unless they were trying to hide the true purpose of the app? This is the smoking gun we were looking for."

John Cassaretto, founder of web security firm BlackCert, believes that if the Amaq Agency app is behind the botnet, then the recent attack on the root name servers may have been just the first wave...

They are learning, testing the vulnerabilities, as evidenced by the first attack, in 2002, which could not generate enough traffic to fully flood the servers and take them offline, and the second, in 2007, which managed to damage two root servers while pushing inordinately heavy traffic onto two others.

Technologies that depend on computers, which in turn depend on the Internet, include some of the nation's most critical infrastructure, much of which is interconnected. Power grids, financial markets, airline routes, military weapons, traffic lights, water, sewage, and even our communication systems, to list just a few examples, all depend on the Internet in some fashion or form, so the quote at the top of this article by Mr. Mize is in no way overstated and, if anything, is probably an understatement.